Skip to content

Instantly share code, notes, and snippets.

@fxb6476 fxb6476/Disclosure
Last active Oct 15, 2019

Embed
What would you like to do?
CVE-2019-17502
[Vulnerability Description]
- Hydra through 0.1.8 has a NULL pointer dereference and daemon crash when processing POST requests
that lack a 'Content-Length' header. The issue comes from the process_header_end() function, which
calls boa_atoi(), which ultimately calls aoti() on a null pointer.
[Additional Information]
- The Hydra web server is widely used by embedded networking equipment, such as switches, and embedded devices in general.
Because of this fact, it is very difficult to specify device models or vendors that may be impacted by this vulnerability.
Rudimentary scans using Shodan show over 8,000 devices registered broadcasting the "Hydra v0.1.8" server, open to the
world.
- The Hydra web site explains:
"Hydra, is a modification of Boa web server, which supports multiple threads of execution, and has more features.
Boa is a high performance web server for Unix-alike computers, covered by the Gnu General Public License.
Hydra was based on Boa version 0.94.13."
Hydra v0.1.8 source code -> http://hydra.hellug.gr/download/ last update was in 2006.
- Overview:
Hydra added additional code to Boa's process_header_end() function. The additional code makes a call to the boa_atoi()
function with req->content_length variable as an argument.
The value of req->content_length is supposed to be set by the function process_option_line(), which sets it
to the numerical value after the 'Content-Length: ' header. However, if the 'Content-Length' header is omitted
from the POST request, the value of req->content_length remains NULL.
Finally, after the call to process_option_line(), read.c makes a call to the process_header_end() function.
The additional code added by Hydra in process_head_end(), then makes an unchecked call to boa_atoi() passing
req->content_length as a parameter, which is NULL. Inside boa_atoi() the atoi() function is called as follows,
atoi(req->content_length) -> atoi(NULL). This results in the segment fault exception being thrown, and the Hydra
daemon crashing.
- Proof Of Concept:
--># curl http://<server-ip>/<dir-to-cgi>/<cgi-script -X POST
(By default CURL will not add the 'Content-Length' header if data is not passed.)
[Vulnerability Type 'Other']
- Null Pointer Reference -> Segment Fault
[Vendor of Product]
- (OpenSource) Hydra Web Server, fork of boa webserver 0.94.13
[Affected Product Code Base]
- http://hydra.hellug.gr/download/
- Personal clone of Hydra v0.1.8 -> https://github.com/fxb6476/Hydra-v0.1.8
[Affected Componenet]
- request.c, read.c, util.c, all contribute to the vulnerability.
[Attack Type]
- Local if the web server is only visible on the local network.
Remote if the web server is visible to the internet.
[Impact on Component]
- Denial of Service
[Discoverer]
- Felix Blanco, Marshall Hallenbeck, Justin Bacco, Datto Inc.
[Reference]
- https://github.com/fxb6476/Hydra-v0.1.8 -> Hydra v0.1.8 clone
- http://hydra.hellug.gr/download/ -> Hydra v0.1.8 original source code download
@fxb6476

This comment has been minimized.

Copy link
Owner Author

fxb6476 commented Oct 12, 2019

CVE_CoreDump
Backtrace leading to segment fault.

@fxb6476

This comment has been minimized.

Copy link
Owner Author

fxb6476 commented Oct 12, 2019

CVE_Exploit
Output from 'curl' after successful exploitation.
You can also try accessing the local web ui, which should have crashed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.